[Zope] Reversible encryption on passwords?
Stefan H. Holek
stefan@epy.co.at
Thu, 20 Mar 2003 19:26:18 +0100
Keeping private keys on connected servers is an all-around bad idea. All I
need to do is break into your box. Can do. ;-)
Also, password garbling schemes are intentionally one-way. Otherwise you
won't gain much in terms of security.
Some explanations of the issues involved can be found here:
<http://www.gnu.org/manual/glibc-2.2.5/html_node/crypt.html>
HTH,
Stefan
--On Thursday, 20 March 2003 09:15 -0800 Terry Hancock
<hancock@anansispaceworks.com> wrote:
> Suppose I use a private key to encrypt/decrypt the password
> data for storage in the database. The key might be stored on
> the server's filesystem or be retrieved from a more secure computer,
> but it would be used to encrypt the data for storage and then
> to decrypt it for authentication. You could do this with public-key
> cryptography, too, but it's not clear to me that there is an
> advantage to that.
--
Those who write software only for pay should go hurt some other field.
/Erik Naggum/